Skillv1.0.2

ClawScan security

Neat Freak · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 28, 2026, 8:15 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's instructions legitimately need to read and edit local docs and agent memory, but the metadata does not declare the config paths it will access and the SKILL.md directs broad filesystem edits (including possible global agent files), which is an incoherence worth warning about.
Guidance: Plain-language checklist before installing/using: - Understand what this skill will do: it will scan and may edit your repository docs and agent memory files (including per-user files under your home dir such as ~/.claude, ~/.codex, ~/.openclaw) unless you restrict it. This is consistent with its purpose but grants broad local file access. - Metadata mismatch: the skill metadata declares no config paths, yet SKILL.md directs reads/writes to home-dir agent files. Ask the publisher why config access was omitted from the metadata and request explicit declaration of the paths the skill will touch. - Prefer safety controls: only run the skill in a sandboxed workspace or on a branch. Ensure your repo is under version control and create a backup or branch before allowing automatic edits. - Require manual review: configure the agent (or your workflow) so file changes are proposed as diffs/PRs rather than committed directly. The SKILL.md requires actual edits — make those edits visible to you before they are finalized. - Limit scope: if possible, instruct the agent to operate only within the current project directory and to never write global agent files (~/.claude, ~/.codex, ~/.openclaw) unless you explicitly ask for cross-project sync. - Watch for secrets: docs and memory files can reference environment variables or credentials. Review any changes that add or expose such references. - If you need higher assurance: request the skill author add declared config paths and an explicit confirmation step in SKILL.md, or run the skill locally with an agent instance whose permissions are limited. Overall: the behavior aligns with its goal but the missing metadata declaration and the potential to edit global agent files make this suspicious rather than clearly benign. Proceed only after enforcing backups, PR-based reviews, and scope limits.

Review Dimensions

Purpose & Capability: concernThe skill's stated purpose is to reconcile project docs and agent memory, which reasonably requires reading and editing repository files and any per-agent memory. However the package metadata declares no required config paths or credentials while the SKILL.md explicitly instructs the agent to read/write user home paths (e.g. ~/.claude/projects/.../memory/, ~/.claude/CLAUDE.md, ~/.codex/AGENTS.md, ~/.openclaw/skills/). That mismatch (metadata says no config access, runtime instructions require it) is an incoherence.
Instruction Scope: concernThe SKILL.md explicitly instructs the agent to run filesystem commands (ls, find, grep) and to perform edits, creates, and deletions across project docs and agent memory. Those actions are consistent with the described purpose, but they give the agent broad read/write access to both project and potential global agent configuration files. The skill does not constrain or explicitly require user confirmation before making file changes.
Install Mechanism: okInstruction-only skill with no install spec and no code files — lowest install risk. Nothing is downloaded or installed by the skill itself.
Credentials: noteThe skill requests no environment variables or credentials in metadata. However the runtime instructions direct the agent to read files (project docs, memory files, and possibly files that list environment variables). Reading these files may expose environment-related secrets indirectly; the SKILL.md does not declare or limit that access.
Persistence & Privilege: concernThe skill is not always-enabled and is user-invocable (good). But it instructs the agent to modify persistent artifacts including project docs and agent-global files (~/.claude, ~/.codex, ~/.openclaw). That capability can change cross-project agent state. Because metadata did not declare config paths and there's no install-time gating, this is a privilege that should be explicitly acknowledged and limited by the user.